Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

ESXi, ESX security issue CVE-2013-5973 - Workaround and Known Issues (VMSA-2013-0016) (2066856)

Symptoms

This KB article documents a workaround for ESXi, ESX security issue CVE-2013-5973 and discusses known issues related to the patches for this issue. The issue itself and its remediation (patches) are documented in VMware Security Advisory VMSA-2013-0016. In essence, making a Virtual Machine and naming it with a name that ends with:

  • -flat
  • -rdm
  • -rdmp
is not allowed by these patches. Note that the Virtual Machine name is different than the names of the virtual disks attached to that Virtual Machine. For example, you cannot have a machine name such as virtual_machine-flat.
 
Workaround

In the event that patches cannot be deployed, a workaround is provided in the section “Resolution”.
 

Known Issues

Certain files names can no longer be used after deploying the patches

After deploying the patches, it is no longer possible to power or create a Virtual Machine with a name that ends in -flat, -rdm, or -rdmp. For example, “ the-earth-is-flat”. Symptoms are:
  • Creating a virtual machine fails with the error:

    Invalid Operation for device
  • Powering on an existing virtual machine (created prior to ESXi 5.5) fails with the error:

    Failed to start the virtual Machine (error -18)
Patches are not effective if /etc/vmware/configrules has been edited previously
 
In case /etc/vmware/configrules has been edited previously, the patches do not remediate the issue. In this case, the workaround discussed below must be used after the patches are applied.

Resolution

Workaround

Edit the ESXi, ESX /etc/vmware/configrules file and add the following reject rules for IDE & SCSI. Note that changes to the configrules file will not persist in case ESXi or ESX experiences an unclean shutdown after making the changes. For more information, see Applying vSphere host configuration changes after an unclean shutdown (2001780).

reject suffix_case "-flat.vmdk"
reject suffix_case "-rdm.vmdk"
reject suffix_case "-rdmp.vmdk"

For Example:

# Virtual IDE devices can point to VMFS volume, raw device, or virtual
# tools media.
rule "Virtual IDE Devices"
{
vm regex ".*" # IDE device backend. 2 controllers, 2 devices each
key regex "^ide[0-1]:[0-1]\.fileName$"

# Reject disk names that end in "-flat.vmdk" .
reject suffix_case "-flat.vmdk"
reject suffix_case "-rdm.vmdk"
reject suffix_case "-rdmp.vmdk"
}

# Virtual SCSI devices can point to VMFS volume or raw device.
rule "Virtual SCSI Devices"
{
vm regex ".*"

# SCSI device backend. 4 controllers, 16 devices each
key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

# Reject disk names that end in "-flat.vmdk"
reject suffix_case "-flat.vmdk"
reject suffix_case "-rdm.vmdk"
reject suffix_case "-rdmp.vmdk"

# Only allow paths under /vmfs/ and relative paths
accept prefix_case "/vmfs/"
accept !prefix "/"
}

Known Issues
 
Certain files names can no longer be used after deploying the patches

Rename the Virtual Machine and remove -flat, -rdm, or -rdmp from the Virtual Machine name, its folder name and its configuration file names. For more information about renaming virtual machines, see Renaming a virtual machine and its files in VMware ESXi and ESX (1029513).
 

Patches are not effective if /etc/vmware/configrules has been edited previously

Apply the Workaround documented above after applying the patches.

Impact/Risks

Workaround

None

Known Issues
 
Certain files names can no longer be used after deploying the patches

In case Virtual Machines have -flat, -rdm, or -rdmp in the name, one may see entries in /tmp/vmware-root/vmware-panic.log file similar to:

[5C980B70 verbose 'Vmsvc.vm:/vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] Power On translated error to vim.fault.GenericVmConfigFault
[5C980B70 info 'Vmsvc.vm:/vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] Power On failed: vim.fault.GenericVmConfigFault
[5C980B70 verbose 'Vmsvc.vm:/vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] Power On message: Failed to start the virtual machine (error -18).-->
[5C980B70 info 'vm:Vix: [34489 foundryVM.c:11404]: FoundryVMMountStateChangeCallback: remount complete, set flag, VM = /vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx']
[FFA85B70 info 'Hostsvc'] Decremented SIOC Injector Flag2
[FFA85B70 warning 'Vmsvc.vm:/vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] Failed operation
[5C980B70 info 'vm:Vix: [34489 foundryVMPowerOps.c:980]: FoundryVMPowerStateChangeCallback: /vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] vmx/execState/val = poweredOff.[FFA44B70 verbose 'Vmsvc.vm:/vmfs/volumes/52377ae8-91e42974-985e-001871ea6c1f/the-earth-is-flat/the-earth-is-flat.vmx'] VM is not online; not registering notification for Bootsrap

Note: Patches are not effective if /etc/vmware/configrules has been edited previously (See above).

See Also

Update History

09/24/2014 - Updated the Symptoms section

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 0 Ratings
Actions
KB: